This article covers setting up both SAML-based single sign-on and SCIM-based user and group provisioning.

Setting up SAML-based single sign-on (SSO)

SAML-based single sign-on (SSO) gives members access to Fulcrum through an identity provider (IdP) of your choice. SSO is available on Fulcrum Enterprise accounts and can be enabled by your Account Manager.

Fulcrum’s SSO can be used with any directory management system that supports the SAML standard; we’ve also published apps with two of the most popular identity management platforms: Okta and Microsoft’s Azure Active Directory service. Each platform provides preconfigured apps that simplify provisioning within your directory.

Our SSO integration isn’t limited to these platforms, however. Other SAML-based systems that work with Fulcrum include Auth0, G Suite, Bitium, Microsoft ADFS, OneLogin, Centrify, and more.

What to Expect after Enabling SSO

Fulcrum supports a mixed environment of both managed (SSO) and unmanaged (Standard Fulcrum login) users.

Existing unmanaged members can be migrated to managed members if they are not members of any other Fulcrum Organizations.
SSO managed members can have the same email as existing Fulcrum system (unmanaged) members.
Only members with an Owner system role can add unmanaged members once SSO has been enabled.

Step 1: Configure your Identity Provider

To set up SSO for your Fulcrum organization, you'll need to create a connection between Fulcrum and your IdP. Fulcrum SSO can be configured to use any IdP that supports the SAML 2.0 specification.

Fulcrum supports Service Provider (SP) and Identity Provider (IdP) Initiated SSO.
Fulcrum supports Just In Time (JIT) user provisioning.
Fulcrum expects the following attributes in the SAML response: first_name, last_name, email. The role attribute is optional and will default to Fulcrum's default role if omitted.

Step 2: Exchange Metadata

Once your IdP is configured, send your SAML metadata to your Fulcrum Account Manager. We will establish a domain for your organization, ingest your metadata and provide the appropriate metadata for your IdP.

Remote System Parameters

SAML Endpoint URL (Identity Provider URL)
SAML Identity Provider Issuer (also called IdP Entity ID) (Optional)
SAML Public X.509 Certificate

Fulcrum Parameters

SAML Entity ID (Issuer)
SAML Single Sign On URL (Assertion Consumer Service URL) (ACS URL)
SAML Sign on URL (Shareable URL to Sign in to Fulcrum)

Step 3: Authenticate via SSO

Once SSO has been configured, you can authenticate to Fulcrum via your IdP on both the web and mobile apps. We can also optionally set a SAML timeout value to force authentication at a preset interval.

Note:

Be sure to review your Role settings to ensure the Default role is set as you expect before adding your SSO users.

When converting an unmanaged user to a managed user, users logged into the mobile app will be forced to re-authenticate when they next sync the app. The user will no longer be able to sign in using a password, and is signed out and will need to re-authenticate via SSO.

An organization can consist entirely of SSO managed members. Organizations must have at least one member and at least one Owner role.

Fulcrum requires the nameid and the email list in the IdP to match.

Setting up SCIM-based user and group provisioning

Fulcrum supports user and group provisioning with the System for Cross-domain Identity Management (SCIM) standard. SCIM provisioning allows you to provision and deprovision Fulcrum users and groups efficiently through your identity provider (IdP).

Step 1: Get the API Token

In Fulcrum, generate and copy the API token.

Step 2: Enter the API Token in your identity management platform

Go to your identity management platform, such as Okta or Azure Active Directory, and use the token generated in Step 1 as your authorization header.

Note:

The API tokens are bound to the user that created them. If the user or API key needs to be removed, the user provisioning SCIM integration needs to be updated.